LDAP Sync imports corporate Active Directory or POSIX LDAP structure into the Conjur environment. It extracts user and group identities from an existing, standard directory server so they can be incorporated into Conjur’s security infrastructure. Conjur recognizes and assimilates LDAP naming conventions so users and groups can be manipulated and managed by Conjur.
LDAP Sync is a one-way process with a read-only connection to the LDAP server. Any Conjur-based directory-management functions and modifications have no effect on the original LDAP database or user information. But specified changes or adjustments to the original LDAP naming model are integrated into the Conjur environment with each new synchronization. The sync retains LDAP-hierarchical information about groups and members.
Functional Overview
Conjur initiates a secure connection to the LDAP directory via a Conjur service that functions as an Authentication Proxy for LDAP communication. Sync parameters are established with a filtering mechanism for user and group accounts, so sync updates can be applied as needed. Likewise, directory attributes for mapping are defined prior to running the sync. Conjur tests the connection and the search criteria to confirm their accuracy before the synchronization is actually run.
Once the sync configuration is confirmed, security administrators can run an ad-hoc sync to load the users and groups into Conjur. They can also schedule a sync to occur on a regular basis, using the API from standard schedulers such as Cron, RunDeck, or a periodic Jenkins job.
Configuring LDAP Sync
LDAP Sync is configured in the Conjur UI. After configuration, a Conjur Policy is generated that can then be loaded into Conjur.
The remainder of this section illustrates how to configure LDAP Sync in the Conjur UI.
First, log into the Conjur UI dashboard and click on the settings icon in the top right-hand corner.
Select LDAP Sync.
1. Connect
Create a connection to an existing LDAP/AD installation.
Fields
- Connection type: Unencrypted, SSL, or TLS. Use this setting to control if encryption is used to communicate with the directory server.
If using SSL or TLS you must provide a PEM-formatted certificate in the SSL/TLS Certificate field. Note that this field is only visible if SSL or TLS is selected. Paste the contents of your certificate PEM into the field. The certificate may be self-signed or signed by a CA. Ensure the configured hostname matches the certificate, otherwise the connection will fail.
- Server & port: Hostname or IP address and port of your directory server.
- Base DN: Distinguished Name (DN) of the starting point for directory server searches.
- Bind DN: Distinguished Name (DN), including common name (CN), of a directory user account that has privileges to search for users.
- Search password: Password that corresponds to the user specified by Bind DN.
All fields for this step are required.
Click the Connect button to test the connection. On a successful connection, the 2. Configure step is shown.
2. Configure
Narrow the sync search results and find specific users and groups to be imported, specifying which attributes to sync to Conjur.
The Conjur UI uses standard LDAP search-filter strings, as defined in the LDAP RFCs, for filtering searches. For filtering details consult your LDAP/AD admin team, and refer to the Microsoft Developer Network for search-filter syntax information.
Please Note: Users need to be members of a selected group in order to be synced with Conjur. Users not part of a selected group will be dropped.
Fields
- User filter: Object Class (OC) of users to sync.
- Group filter: Object Class (OC) of groups to sync.
- User login: Attribute that maps to a user login name.
- UID number: Attribute that maps to a user ID, optional.
- SSH public key: Attribute that maps to user public SSH key, optional.
- Group name: Attribute that maps to group name.
- GID: Attribute that maps to group ID, optional.
Click the Test Configuration button to view the results of a directory search based on the filters that you entered. If the search results look incorrect, modify your filters and click Test Configuration again to execute a new search. Repeat this process until the results are correct. Once you are satisfied with the search results, click the Save & Schedule button to save your settings. This takes you to the last step, 3. Sync.
3. Sync
Connection and filter settings have now been saved.
Trigger a sync by generating a Conjur Policy and loading it with the Conjur CLI. Output will look similar to this:
$ conjur ldap-sync policy show | tee ldap-sync.yml
---
- !user
  annotations:
    ldap-sync/source: 172.17.0.3:389
    ldap-sync/upstream-dn: cn=Lucy Banks,dc=example,dc=org
  id: Lucy Banks
  owner: !group
    id: conjur/ldap-sync
  uidnumber: 4
- !group
  annotations:
    ldap-sync/source: 172.17.0.3:389
    ldap-sync/upstream-dn: cn=_IT-OPS_,dc=example,dc=org
  gidnumber: 10011
  id: _IT-OPS_
  owner: !group
    id: conjur/ldap-sync
- !grant
  member:
  - !member
    admin: false
    role: !user
      id: Lucy Banks
  - !member
    admin: true
    role: !group
      id: "/conjur/ldap-sync"
  replace: true
  role: !group
    id: _IT-OPS_
$ conjur elevate policy load ldap-sync.yml
Authenticating thomas
Create user 'Lucy Banks'
Set annotation 'ldap-sync/source'
Set annotation 'ldap-sync/upstream-dn'
Create group '_IT-OPS_'
Set annotation 'ldap-sync/source'
Set annotation 'ldap-sync/upstream-dn'
Grant group '_IT-OPS_' to user 'Lucy Banks'
{"conjur:user:Lucy Banks":"zxp4wj11f5zfsrvzyty3n1qczr3p4c7hw39rzsfq31kazc4vsqe7n"}
API keys of newly-created users are returned after the policy is loaded.
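The following is an added example, not Conjur's own code, that builds a policy in the shape shown above from already-fetched LDAP entries. It applies the rules described in the Configure step: the attribute mapping (login, UID number, group name, GID), the ldap-sync annotations, a replacing !grant per group, and the rule that users who belong to no selected group are dropped. The directory entries, the source address and the attribute names are constructed sample data.

```python
from typing import Dict, List, Tuple

SOURCE = "172.17.0.3:389"   # constructed: host:port of the synced directory
OWNER = "conjur/ldap-sync"  # owner group of every synced record, as in the sample

# Constructed LDAP entries, as a search with the configured filters would return them.
USERS = [
    {"dn": "cn=Lucy Banks,dc=example,dc=org", "cn": "Lucy Banks", "uidNumber": "4"},
    {"dn": "cn=Tom Orphan,dc=example,dc=org", "cn": "Tom Orphan", "uidNumber": "5"},
]
GROUPS = [
    {"dn": "cn=_IT-OPS_,dc=example,dc=org", "cn": "_IT-OPS_", "gidNumber": "10011",
     "member": ["cn=Lucy Banks,dc=example,dc=org"]},
]

def _annotations(dn: str) -> List[str]:
    return ["  annotations:", f"    ldap-sync/source: {SOURCE}",
            f"    ldap-sync/upstream-dn: {dn}"]

def build_policy(users: List[Dict], groups: List[Dict],
                 login_attr: str = "cn", group_attr: str = "cn") -> Tuple[str, List[str]]:
    """Return the policy text and the logins dropped for not being in any selected group."""
    member_dns = {dn for g in groups for dn in g.get("member", [])}
    kept = [u for u in users if u["dn"] in member_dns]
    dropped = [u[login_attr] for u in users if u["dn"] not in member_dns]
    login_by_dn = {u["dn"]: u[login_attr] for u in kept}
    out = ["---"]
    for u in kept:                        # one !user record per kept entry
        out += ["- !user"] + _annotations(u["dn"])
        out += [f"  id: {u[login_attr]}", "  owner: !group", f"    id: {OWNER}"]
        if "uidNumber" in u:              # UID number mapping is optional
            out.append(f"  uidnumber: {u['uidNumber']}")
    for g in groups:                      # one !group record per selected group
        out += ["- !group"] + _annotations(g["dn"])
        if "gidNumber" in g:              # GID mapping is optional
            out.append(f"  gidnumber: {g['gidNumber']}")
        out += [f"  id: {g[group_attr]}", "  owner: !group", f"    id: {OWNER}"]
    for g in groups:                      # one replacing !grant per group: members plus admin owner
        out += ["- !grant", "  member:"]
        for dn in g.get("member", []):
            if dn in login_by_dn:         # members that were dropped never appear in the grant
                out += ["  - !member", "    admin: false", "    role: !user",
                        f"      id: {login_by_dn[dn]}"]
        out += ["  - !member", "    admin: true", "    role: !group",
                f'      id: "/{OWNER}"', "  replace: true", "  role: !group",
                f"    id: {g[group_attr]}"]
    return "\n".join(out) + "\n", dropped
```

Running `build_policy(USERS, GROUPS)` yields the single-user, single-group policy shown above and reports "Tom Orphan" as dropped, which is worth reviewing before loading: a user missing from the policy means that person lost Conjur access through the sync.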
View the Conjur UI to see that all users and groups have been successfully synchronized to Conjur.